DETAILED ACTION



Continued Examination Under 37 CFR 1.114 



1. A request for continued examination under 37 CFR 1.114, including the fee set forth in
37 CFR 1.17(e), was filed in this application after final rejection. Since this application is 
eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) 
has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 
37 CFR 1.114. Applicant's submission filed on 09/17/03 has been entered. 

2. The following is a non-final office action in response to the request for continued 
examination received on 09/17/03. Claims 1, 10, 14, and 16 have been amended. Claims 1-18 
are now pending in this Application. 



Response to Arguments

3. Applicant's argument with regard to the rejections based on Weinstock et al. (U.S.
6,223,143) has been fully considered but it is not persuasive. In the remarks, the Applicant
argues that Weinstock et al. does not teach or suggest identifying control procedures that are
deemed as a means to mitigate risk.

In response to the argument of the Applicant, Examiner respectfully disagrees.
Weinstock et al. teaches identifying risks, creating an outline (or control procedure) of the events
that occur in producing each of the risks, assigning a weight to each outline, and then rating and
ranking the outlines by quantifying/assessing the ordered set of events. Weinstock et al. teaches
that after these steps occur, a sensitivity feature is used to allow modification of the control
procedures to assess how the risks could be mitigated. See specifically column 3, lines 15-37,
and column 9, lines 5-24, but see at least column 2, lines 65-67, column 3, lines 25-37, column 7,
lines 30-40, column 8, lines 5-10, 29-34, 45-48, and 53-55, column 9, lines 5-24, column 13,
lines 42-59, and column 14, lines 1-5. Therefore, by manipulating and editing the control
procedures that create the risk, a user can look at different options of how to minimize and
eliminate risk and see the effects on the rest of the system. Examiner points out that Weinstock
et al. teaches a "quantitative risk assessment system" that quantifies the risk of a project before
the implementation of the project, and since it is well known that the purpose of risk assessment
is to identify and eliminate risk, the purpose of Weinstock et al. is clearly the mitigation, or
lessening, of risk.

Claim Rejections - 35 USC §102 
4. The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that form the 
basis for the rejections under this section made in this Office action: 

A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the United 
States before the invention thereof by the applicant for patent, or on an international application by another who 
has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this title before the invention 
thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AIPA) do not apply to the examination of this application as the application being examined 
was not (1) filed on or after November 29, 2000, or (2) voluntarily published under 35 U.S.C. 
122(b). Therefore, this application is examined under 35 U.S.C. 102(e) prior to the amendment 
by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 

Claims 1-3 and 6-18 are rejected under 35 U.S.C. 102(e) as being anticipated by 
Weinstock et al. (U.S. 6,223,143). 
5. As per claim 1, Weinstock et al. teaches a method of managing risk with the aid of a
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in a database 
coupled to said computer (See at least column 1, lines 14-16, column 2, lines 65-67, 
column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35-55, column 7, 
lines 45-50 and 59-67, and column 8, lines 1-18, which disclose identifying a set of risk 
elements, said risk elements being stored in a database coupled to said computer); 

b. for at least one risk element, identifying one or more control procedures as a 
means for mitigating said risk element (See at least column 2, lines 65-67, column 3, 
lines 25-37, column 7, lines 30-40, column 8, lines 5-10, 29-34, 45-48, and 53-55, 
column 9, lines 5-24, column 13, lines 42-59, and column 14, lines 1-5, which discuss 
identifying one or more control procedures associated with each risk element, these 
control procedures being scenarios that result in risk and these control procedures being 
edited and manipulated to reduce and eliminate risk); 

c. associating said one or more control procedures with said risk element, said 
control procedures being stored in said database (See at least column 8, lines 5-10, 29-34, 
45-48, and 53-55, column 13, lines 42-59, and column 14, lines 1-5, wherein these 
control procedures being stored in the database); 

d. assigning a weight to each said control procedure (See column 8, lines 46-52, 
column 9, lines 30-36, column 11, lines 49-67, and column 12, lines 8-17 and 47-65, 
which disclose assigning a weight to each of said control procedures); 
e. identifying a compliance rating for each said control procedure (See column 8,
lines 45-67, column 9, lines 30-36, column 12, lines 23-42, column 22, lines 23-29, and 
column 23, lines 1-18, which discloses determining a compliance rating for each control 
procedure); and 

f. calculating a compliance score, each compliance score being a function of said
assigned weights and said compliance rating of said control procedures (See at least 
column 8, lines 55-64, column 22, lines 23-29, and column 23, lines 1-5, which discuss 
calculating a compliance score, this score being a function of said assigned weights and 
said compliance rating of said control procedures). 
6. As per claim 2, Weinstock et al. teaches a method wherein said compliance ratings 
comprise at least one rating identifying a non-fully compliant control procedure, said method
further comprising the steps of: 

a. for each said control procedure having a non-fully compliant rating, receiving a
signal indicating whether said non-fully compliant control procedure is accepted or not 
accepted (See column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, lines 
23-37, which discuss for each control procedure not having a fully compliant rating, 
receiving a signal indicating whether the control procedure is accepted or not accepted); 
and 

b. for each of said non-fully compliant control procedure which is indicated as not 
accepted, generating an action plan (See column 9, lines 12-24, which discusses for each 
non-fully compliant control procedure generating an action plan).
7. As per claim 3, Weinstock et al. teaches a method wherein said action plan includes a
target date, said method further comprising the step of calculating an expected compliance score 
for one or more future dates based on said action plan target dates (See column 3, lines 34-37, 
column 9, lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column
13, lines 5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, which discuss the 
action plan, this action plan having target dates/times, and an expected compliance score is 
calculated using these target dates/times). 

8. As per claim 6, Weinstock et al. teaches a method further comprising the step of 
associating one or more parameters with each said compliance rating (See column 8, lines 45-67, 
column 9, lines 12-24, and column 16, lines 48-53, which discuss associating one or more 
parameters with each compliance rating). 

9. As per claim 7, Weinstock et al. teaches a method wherein said one or more parameters 
are selected from the group comprising organization, business line, process, and region (See at 
least column 8, lines 45-67, column 9, lines 6-11 and 12-24, column 16, lines 48-53, column 17, 
lines 25-40, and column 25, lines 16-25, which disclose process parameters). 

10. As per claim 8, Weinstock et al. teaches a method further comprising the step of sorting 
said compliance scores by said one or more parameters (See at least column 9, lines 6-11, 
column 17, lines 25-40, and column 25, lines 16-25, which disclose sorting the compliance 
scores by one or more parameters). 

11. As per claim 9, Weinstock et al. discloses a method further comprising the step of 
displaying said sorted compliance scores (See column 9, lines 6-11, and figure 5A, which
disclose displaying the sorted compliance scores). 



Application/Control Number: 09/545,381 Page 7

Art Unit: 3623

12. As per claim 10, Weinstock et al. teaches a method of managing risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in a database 
coupled to said computer (See at least column 1, lines 14-16, column 2, lines 65-67, 
column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35-55, column 7, 
lines 45-50 and 59-67, and column 8, lines 1-18, which disclose identifying a set of risk 
elements, said risk elements being stored in a database coupled to said computer); 

b. identifying one or more subrisk elements associated with each said risk elements, 
each subrisk element being stored in said database (See at least column 1, lines 14-16, 
column 2, lines 65-67, column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, 
lines 35-55, column 7, lines 45-50 and 59-67, column 8, lines 1-18, 29-34, 45-48, and 53- 
55, column 13, lines 42-59, and column 14, lines 1-5, which disclose identifying one or 
more subrisk element associated with the risk elements, this identified subrisks being 
stored in a database); 

c. for at least one subrisk element, identifying one or more control procedures 
associated as a means for mitigating subrisk element (See at least column 2, lines 65-67, 
column 3, lines 25-37, column 7, lines 30-40, column 8, lines 5-10, 29-34, 45-48, and 53- 
55, column 9, lines 5-24, column 13, lines 42-59, and column 14, lines 1-5, which discuss 
identifying one or more control procedures associated with each risk element, these 
control procedures being scenarios that result in risk and these control procedures being 
edited and manipulated to reduce and eliminate risk); 
d. associating said one or more control procedures with said risk element, said
control procedures being stored in said database (See at least column 8, lines 5-10, 29-34, 
45-48, and 53-55, column 13, lines 42-59, and column 14, lines 1-5, wherein these 
control procedures being stored in the database); 

e. assigning a weight to each said control procedure (See column 8, lines 46-52, 
column 9, lines 30-36, column 11, lines 49-67, and column 12, lines 8-17 and 47-65, 
which disclose assigning a weight to each of said control procedures); 

f. identifying a compliance rating for each said control procedure, said compliance 
ratings including a plurality of categories including at least one category indicating said 
control procedure is not fully compliant (See column 8, lines 45-67, column 9, lines 30- 
36, column 12, lines 23-42, column 22, lines 23-29, and column 23, lines 1-18, which 
discloses determining a compliance rating for each control procedure, the compliance 
rating having a plurality of categories including categories indicating the control 
procedure is not fully compliant); 

g. calculating a compliance score, said compliance score being a function of said 
assigned weights and said compliance rating of said control procedures (See at least 
column 8, lines 55-64, column 22, lines 23-29, and column 23, lines 1-5, which discuss 
calculating a compliance score, this score being a function of said assigned weights and 
said compliance rating of said control procedures); 

h. for each subrisk, determining whether at least one control procedure associated 
with said subrisk is not fully compliant (See column 8, lines 55-64, column 9, lines 1-5 
and 5-24, and column 22, lines 23-37, which discuss at least one control procedure not
having a fully compliant rating);

i. for each subrisk associated with at least one control procedure which is not fully
compliant, receiving a signal indicating whether said subrisk should be accepted or not
accepted (See column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, lines
23-37, which discuss for each control procedure not having a fully compliant rating,
receiving a signal indicating whether the control procedure is accepted or not accepted);
and

j. for each subrisk which is indicated as not accepted, generating an action plan (See 
column 9, lines 12-24, which discusses for each non-fully compliant control procedure
generating an action plan). 

13. As per claim 11, Weinstock et al. teaches a method wherein said action plan further 
includes a target date, said method further comprising the step of calculating a future compliance 
score based on said action plan target dates (See column 3, lines 34-37, column 9, lines 12-24, 
column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, lines 5-22, column
14, lines 22-47, and column 22, lines 23-39 and 63-65, which discuss the action plan, this action
plan having target dates/times, and an expected compliance score is calculated using these target 
dates/times). 

14. As per claim 12, Weinstock et al. teaches a method further comprising the step of 
associating one or more parameters with each said compliance rating (See column 8, lines 45-67, 
column 9, lines 12-24, and column 16, lines 48-53, which discuss associating one or more 
parameters with each compliance rating). 
15. As per claim 13, Weinstock et al. teaches a method further comprising the step of sorting
said compliance ratings and displaying said sorted ratings (See at least column 9, lines 6-11, 
column 17, lines 25-40, and column 25, lines 16-25, which disclose sorting the compliance 
scores by one or more parameters. See column 9, lines 6-11, and figure 5A, which disclose
displaying the sorted compliance scores). 

16. As per claim 14, Weinstock et al. teaches a method of forecasting risk with the aid of a 
computer system, said method comprising: 

a. identifying a set of risk elements, said risk elements being stored in a database 
coupled to said computer (See at least column 1, lines 14-16, column 2, lines 65-67, 
column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35-55, column 7, 
lines 45-50 and 59-67, and column 8, lines 1-18, which disclose identifying a set of risk 
elements, said risk elements being stored in a database coupled to said computer); 

b. for at least one risk element, identifying one or more control procedures as a 
means for mitigating said risk element (See at least column 2, lines 65-67, column 3, 
lines 25-37, column 7, lines 30-40, column 8, lines 5-10, 29-34, 45-48, and 53-55, 
column 9, lines 5-24, column 13, lines 42-59, and column 14, lines 1-5, which discuss 
identifying one or more control procedures associated with each risk element, these 
control procedures being scenarios that result in risk and these control procedures being 
edited and manipulated to reduce and eliminate risk); 

c. associating said one or more control procedures with said risk element, said 
control procedures being stored in said database (See at least column 8, lines 5-10, 29-34, 
45-48, and 53-55, column 13, lines 42-59, and column 14, lines 1-5, wherein these
control procedures being stored in the database); 

d. assigning a weight to each said control procedure (See column 8, lines 46-52, 
column 9, lines 30-36, column 11, lines 49-67, and column 12, lines 8-17 and 47-65, 
which disclose assigning a weight to each of said control procedures); 

e. identifying a compliance rating for each said control procedure, said compliance 
rating chosen from a set of ratings including at least one rating identifying a non-fully
compliant control procedure and at least one rating identifying fully compliant control 
procedures (See column 8, lines 45-67, column 9, lines 30-36, column 12, lines 23-42, 
column 22, lines 23-29, and column 23, lines 1-18, which discloses determining a 
compliance rating for each control procedure, the compliance rating chosen from a set of 
ratings including at least one indicating a non-fully compliant control procedure and at
least one indicating fully compliant control procedures). 

f. for each said control procedure having a non-fully compliant rating, generating an 
action plan, said action plan including a target date for at least one action listed therein 
(See at least column 8, lines 55-64, column 22, lines 23-29, and column 23, lines 1-5, 
which discuss calculating a compliance score, this score being a function of said assigned 
weights and said compliance rating of said control procedures. See column 3, lines 34- 
37, column 9, lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8- 
24, column 13, lines 5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, 
which discuss the action plan, this action plan having target dates/times); and 
g. calculating an expected compliance score for a future date, said expected
compliance score being a function of said assigned weights, said fully compliant control
procedures, and said action plan target dates for said non-fully compliant control
procedures (See column 3, lines 34-37, column 8, lines 45-67, column 9, lines 12-24 and 
30-36, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, lines 
5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, which discuss 
calculating an expected compliance score for an action plan, this action plan having target 
dates/times). 

17. As per claim 15, Weinstock et al. teaches a method wherein said action plan comprises a 
signal indicating whether said non-fully compliant rating is accepted or not accepted, said 
expected compliance score further being a function of said non-fully compliant ratings which 
have been accepted (See column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, 
lines 23-37, which discuss for each control procedure not having a fully compliant rating, 
receiving a signal indicating whether the control procedure is accepted or not accepted. The 
expected compliance score is a function of non-fully compliant ratings, some of which have been 
accepted). 

18. As per claim 16, Weinstock et al. teaches a data processing system for managing risk, 
said system comprising 

a. a database (See column 6, lines 42-50, which discloses the system comprising a
database);
b. a processor coupled to said database, said processor being programmed to
perform the steps comprising (See column 6, lines 42-50, which discloses the system 
comprising a processor coupled to a database. This processor performs steps): 

i. receiving a first signal identifying a set of risk elements, said risk elements 
being stored in said database (See at least column 1, lines 14-16, column 2, lines 
65-67, column 3, lines 1-7 and 13-16, column 5, lines 63-67, column 6, lines 35- 
55, column 7, lines 45-50 and 59-67, and column 8, lines 1-18, which disclose 
identifying a set of risk elements, said risk elements being stored in said 
database); 

ii. receive a second signal identifying one or more control procedures 
associated with each said risk element, said control procedure comprising a means 
to mitigate said risk element, said control procedure being stored in said database 
(See at least column 2, lines 65-67, column 3, lines 25-37, column 7, lines 30-40, 
column 8, lines 5-10, 29-34, 45-48, and 53-55, column 9, lines 5-24, column 13, 
lines 42-59, and column 14, lines 1-5, which discuss identifying one or more 
control procedures associated with each risk element, these control procedures 
being scenarios that result in risk and these control procedures being edited and 
manipulated to reduce and eliminate risk, said control procedures stored in a 
database); 

iii. receive a third signal assigning a weight to each said control procedure,
said weight being stored in said database (See column 8, lines 46-52, column 9,
lines 30-36, column 11, lines 49-67, and column 12, lines 8-17 and 47-65, which 
disclose assigning a weight to each of said control procedures); 

iv. receive a fourth signal identifying a compliance rating for each said 
control procedure (See column 8, lines 45-67, column 9, lines 30-36, column 12, 
lines 23-42, column 22, lines 23-29, and column 23, lines 1-18, which discloses 
identifying a compliance rating for each control procedure); and 

v. calculate a compliance score, said compliance score being a function of 
said assigned weights and said compliance rating of said control procedures (See 
at least column 8, lines 55-64, column 22, lines 23-29, and column 23, lines 1-5, 
which discuss calculating a compliance score, this score being a function of said 
assigned weights and said compliance rating of said control procedures). 

19. As per claim 17, Weinstock et al. teaches a data processing system wherein said 
compliance ratings comprise at least one rating identifying a non-fully compliant control
procedure, said processor being further programmed to perform the steps comprising: 

a. for each said control procedure having a non-fully compliant rating, receiving a 
signal indicating whether said non-fully compliant rating is accepted or not accepted (See 
column 8, lines 55-64, column 9, lines 1-5 and 5-24, and column 22, lines 23-37, which 
discuss for each control procedure not having a fully compliant rating, receiving a signal 
indicating whether the control procedure is accepted or not accepted); 

b. for each said non-fully compliant control procedure which is indicated as not 
accepted, receiving an action plan, said action plan including an expected target date for 
implementation and an expected compliance rating (See column 3, lines 34-37, column 9,
lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, 
lines 5-22, column 14, lines 22-47, and column 22, lines 23-39 and 63-65, which 
discusses for each non-fully compliant control procedure generating an action plan, this
action plan having target dates/times); and 

c. generating one or more future expected compliance scores, said compliance 
scores being a function of said target dates, said assigned weights, and said expected 
compliance rating of said control procedures (See column 3, lines 34-37, column 8, lines 
55-64, column 9, lines 12-24, column 11, lines 49-53 and 60-67, column 12, lines 1-5 and 
8-24, column 13, lines 5-22, column 14, lines 22-47, column 22, lines 23-39 and 63-65, 
and column 23, lines 1-5, which discuss the action plan and generating a future expected 
compliance score using these target dates/times, assigned weights, and expected 
compliance ratings). 

20. As per claim 18, Weinstock et al. teaches a data processing system further comprising a 
computer display coupled to said processor, said processor further being programmed to display 
said compliance scores on a computer display (See column 6, lines 42-50, which discusses a 
computer display. See at least column 16, lines 33-41, column 18, lines 20-25, column 20, lines 
16-24, column 25, lines 33-37 and 51-53, and column 26, lines 34-38, which discuss displaying 
compliance scores on a computer display). 

Claim Rejections - 35 USC §103 

21. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 
(a) A patent may not be obtained though the invention is not identically disclosed or described as set forth in
section 102 of this title, if the differences between the subject matter sought to be patented and the prior art are 
such that the subject matter as a whole would have been obvious at the time the invention was made to a person 
having ordinary skill in the art to which said subject matter pertains. Patentability shall not be negatived by the 
manner in which the invention was made. 



Claims 4 and 5 are rejected under 35 U.S.C. 103(a) as being unpatentable over Weinstock 
et al. (U.S. 6,223,143) in view of Strategies and Tactics ("Consulting Services"). 
22. As per claim 4, Weinstock et al. discloses a method comprising calculating compliance 
scores for the target dates, these compliance scores being calculated based on information about 
the project input by the user (See column 3, lines 34-37, column 9, lines 12-24, column 11, lines 
49-53 and 60-67, column 12, lines 1-5 and 8-24, column 13, lines 5-22, column 14, lines 22-47, 
column 16, lines 50-56, and column 22, lines 23-39 and 63-65, which discuss calculating 
compliance scores for target dates based on user input). However, Weinstock et al. does not
expressly disclose the step of tracking whether said expected compliance scores have been met, 
said tracking including calculating actual compliance scores for the target dates. 

Strategies and Tactics discloses implementing an action plan and tracking the actual 
performance of this action plan and whether the expected performance measures of the action 
plan have been met (See pages 5-7, which discuss implementing an action plan, said action plan 
having an expected outcome, and tracking an implemented action plan to see actual 
performance). 

Both Weinstock et al. and Strategies and Tactics discuss assessing and managing risk 
through the implementation of alternative action plans that will minimize risk. It would have 
been obvious to one of ordinary skill in the art at the time of the invention to use tracked 
performance data as the data input into the system of Weinstock et al. by the user in order to 
make the tool more capable of predicting and quantifying risks facing a system by validating the
results produced by the tool and using any variations found to tune it. 
23. As per claim 5, Weinstock et al. discloses calculating expected compliance scores for 
said target dates based on data input by the user and displaying original values along with newly 
determined values (See column 3, lines 34-37, column 9, lines 12-24, column 11, lines 49-53 and
60-67, column 12, lines 1-5 and 8-24, column 13, lines 5-22, column 14, lines 22-47, column 16, 
lines 50-56, and column 22, lines 23-39 and 63-65, which discuss calculating expected 
compliance scores for target dates based on user input. See column 25, lines 50-53, which 
discusses displaying original values along with newly determined values). However, Weinstock 
et al. does not expressly disclose calculating actual compliance for the target date or displaying 
specifically expected compliance scores versus actual compliance. 

Strategies and Tactics discloses a method further comprising calculating actual compliance
for the target dates and displaying results (See pages 6-7, which discusses actual compliance for 
the target dates and displaying the results). However, Strategies and Tactics does not expressly 
disclose displaying said expected compliance scores versus said actual compliance. 

Both Weinstock et al. and Strategies and Tactics discuss assessing and managing risk 
through the implementation of alternative action plans that will minimize risk. It would have 
been obvious to one of ordinary skill in the art at the time of the invention to use tracked 
performance data as the data input into the system of Weinstock et al. by the user in order to 
make the tool more capable of predicting and quantifying risks facing a system by validating the 
results produced by the tool and using any variations found to tune it. 
Furthermore, displaying theoretical versus actual data for comparison purposes is old and
well known. It would have been obvious to one of ordinary skill in the art at the time of the 
invention to display the actual versus the expected scores for the risk assessment target date in 
order to increase the comprehension of the results by the user of the tool by using a graphical aid. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to applicant's 
disclosure. 

Masch (U.S. 5,930,762) teaches a computer implemented risk management system that 
looks at the parameters of a physical system. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Beth Van Doren whose telephone number is (703) 305-3882. 
The examiner can normally be reached on M-F, 8:30-5:00. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Tariq Hafiz can be reached on (703) 305-9643. The fax phone number for the 
organization where this application or proceeding is assigned is (703) 305-7687. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is (703) 308-1113.



bvd 

November 17, 2003 




